# Authentication & SSO

As an account administrator, you can manage how your team and users access Cube Cloud.

You can authenticate using email and password, a GitHub account, or a Google account.
Cube Cloud also provides single sign-on (SSO) via identity providers supporting
[SAML 2.0](#saml-20), e.g., Okta, Google Workspace, Azure AD, etc.

Finally, Cube Cloud provides the [LDAP integration](#ldap-integration), enabling
users of [APIs & integrations][ref-apis] to authenticate via an LDAP catalog
and assume roles that work with [data access policies][ref-dap] once [authentication
integration][ref-auth-integration] is enabled.

<SuccessBox>

Authentication is available in Cube Cloud on [all product tiers](https://cube.dev/pricing).<br/>
[SAML 2.0](#saml-20) and [LDAP integration](#ldap-integration) are available on [Enterprise and above](https://cube.dev/pricing) product tiers.

</SuccessBox>

<Diagram
  src="https://ucarecdn.com/e3b3bce2-117e-4cbc-b516-c71b51b98888/"
  style="border: 0;"
/>

## Configuration

To manage authentication settings, navigate to <Btn>Team & Security</Btn> settings
of your Cube Cloud account, and switch to the <Btn>Authentication & SSO</Btn> tab:

<Screenshot src="https://ucarecdn.com/5665f017-07ff-4734-bae5-8d4984470dd7/"/>

Use the toggles in <Btn>Password</Btn>, <Btn>Google</Btn>, and <Btn>GitHub</Btn>
sections to enable or disable these authentication options.

### SAML 2.0

Use the toggle in the <Btn>SAML 2.0</Btn> section to enable or disable the authentication
via an identity provider supporting the [SAML 2.0 protocol][wiki-saml].
Once it's enabled, you'll see the <Btn>SAML 2.0 Settings</Btn> section directly below.

Check the following guides to get tool-specific instructions on configuration:

<Grid imageSize={[56, 56]}>
  <GridItem
    url="sso/google-workspace"
    imageUrl="https://static.cube.dev/icons/google-cloud.svg"
    title="Google Workspace"
  />
  <GridItem
    url="sso/microsoft-entra-id"
    imageUrl="https://static.cube.dev/icons/azure.svg"
    title="Microsoft Entra ID"
  />
  <GridItem
    url="sso/okta"
    imageUrl="https://static.cube.dev/icons/okta.svg"
    title="Okta"
  />
</Grid>

### LDAP integration

Use the toggle in the <Btn>LDAP Integration</Btn> section to enable or disable the
integration with an [LDAP catalog][wiki-ldap].
Once it's enabled, you'll see the <Btn>LDAP Settings</Btn> section directly below.

<InfoBox>

Cube Cloud will be accessing your LDAP server from the IP addresses shown under
<Btn>LDAP Settings</Btn>. If needed, add these IP addresses to an allowlist.

</InfoBox>

You can configure [connection settings](#connection-settings) and use the
<Btn>Test Connection</Btn> button to validate them. You can also configure
[user properties](#user-properties-mapping) mapping, [user roles](#user-roles-mapping) mapping,
and [user attributes](#user-attributes-mapping) mapping.

#### Connection settings

You have to configure the following connection settings:

| Option | Description |
| --- | --- |
| <Btn>LDAP Server URL</Btn>       | Address of your LDAP server |
| <Btn>Use Secure LDAP</Btn>       | Use an encrypted connection (LDAPS) |
| <Btn>Don't Verify CA</Btn>       | Disable certificate authority verification |
| <Btn>Certificate</Btn>           | Certificate for LDAPS in the PEM format |
| <Btn>Certificate Authority</Btn> | Certificate for the private CA in the PEM format |
| <Btn>Key</Btn>                   | Key for mutual TLS (mTLS) in the PEM format |
| <Btn>Bind DN</Btn>               | User name for LDAP authentication |
| <Btn>Bind Credentials</Btn>      | Password for LDAP authentication |
| <Btn>Search Base</Btn>           | Base DN for searching users |
| <Btn>User Object Class</Btn>     | Object class for user entries |

Use the tooltips in Cube Cloud to get more information about each setting.

#### User properties mapping

You have to configure how user data in an LDAP catalog maps to user properties in Cube Cloud.
The following properties are required:

| Property | Description |
| --- | --- |
| <Btn>Login Attribute</Btn> | Login name |
| <Btn>Id Attribute</Btn> | Unique identifier |
| <Btn>Email Attribute</Btn> | Email address |
| <Btn>Name Attribute</Btn> | Full name |

Use the tooltips in Cube Cloud to get more information about each setting.

#### User roles mapping

You can configure how user data in an LDAP catalog maps to roles in Cube Cloud.
You can also use mapped roles with [data access policies][ref-dap] once [authentication
integration][ref-auth-integration] is enabled.

Mapping is performed as follows:
* <Btn>Roles Attribute</Btn> is retrieved from an LDAP catalog.
* Retrieved value is transformed using rules under <Btn>Role mapping</Btn>.
* If the value matches an existing role in Cube Cloud, then the user assumes this role.

Additionally, the user always assumes the role specified under <Btn>Default Cloud role</Btn>.

<Screenshot src="https://ucarecdn.com/e467faa1-bf40-4f29-998a-5ea5244610af/"/>

All roles will be available under `cubeCloud.roles` array in the [security context][ref-security-context]:

```json
{
  "cubeCloud": {
    "roles": [
      "Everyone",
      "manager"
    ]
  }
}
```

#### User attributes mapping

You can also bring more user data from an LDAP catalog to use with [data access policies][ref-dap].
Mapping is performed using the rules under <Btn>Attribute mapping</Btn>.

All mapped attributes and their values will be available under `cubeCloud.userAttributes`
dictionary in the [security context][ref-security-context]:

```json
{
  "cubeCloud": {
    "userAttributes": {
      "fullName": "John Doe",
      "department": "Finance",
      "location": "San Mateo"
    }
  }
}
```

[wiki-saml]: https://en.wikipedia.org/wiki/SAML_2.0
[wiki-ldap]: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
[ref-apis]: /product/apis-integrations
[ref-dap]: /product/auth/data-access-policies
[ref-security-context]: /product/auth/context
[ref-auth-integration]: /product/auth#authentication-integration